Tuesday, September 6, 2022

Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting

The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years

By Jon Munshaw. 

Ninety percent of Asheer Malhotra’s work will never see the light of day. But it’s that 10 percent that keeps him motivated to keep looking for something new. 

The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don’t have any additional threads to pull on. 

But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he’s written about several times. 

“At some point, I say ‘Hey, I don’t think I’ve seen this before.’ I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said.

In the case of Transparent Tribe, Malhotra’s tracked their growth as a major player in the threat landscape in Asia, as they’ve added several remote access trojans to their arsenal, targeted high-profile government-adjacent entities in India and expanded their scope across the region.  

When he’s not threat hunting, Malhotra also speaks to Cisco customers about the current state of cybersecurity in briefings and delivers presentations at conferences around the world (mainly virtually during the COVID-19 pandemic).  

“I always try to find the latest and new stuff to talk about. … I’ve been honing my skills and trying to speak more confidently publicly, but the confidence is backed up with the right kind of knowledge and the threat intelligence, that’s what helps me succeed,” he said.  

Malhotra is a native of India and spent most of his life there before coming to the U.S. for his master’s degree at Mississippi State University. Mississippi was a far cry from everything else he had known up until that point, but he quickly adjusted. 

“That was the ‘Deep South,’” he said. “So there was a culture shock, but the southern hospitality is such a real thing, and it felt very normal there.” 

Growing up, Malhotra always knew he wanted to work with computers, starting out as a teenager reverse-engineering exploits he’d see others talk about on the internet or just poking at smaller applications. His additional interest in politics and national security made it natural for him to combine the two and focus his research on state-sponsored actors.  

He enjoys continuing his research in the Indian subcontinent and sees many parallels between the state of security in India and the U.S. 

“These days, the Indian security scene is really budding, there’s a lot of high-profile conferences there. IT, computer science and technology is huge there, and a lot of tech companies have offices there,” he said.  

Because of India’s high concentration of tech companies, higher education and government contractors, his main concern currently is intellectual property theft. While many recent cybersecurity headlines center on “sexier” ransomware attacks, it’s threat actors’ double-extortion tactics that worry him the most.  

In these types of attacks, adversaries hold files hostage for a ransom payment, as in a traditional ransomware attack. But many actors are now also threatening to leak the stolen information on the wider internet for all to see (and potentially steal or buy).  

Malhotra called ransomware the “clear and present danger,” but said that double extortion is becoming top-of-mind for many executives.  

The specific state-sponsored actors he’s tracked in the Asia-Pacific region, such as Transparent Tribe and MuddyWater, have matured over the years, as has Malhotra’s security experience. 

“I love seeing how these groups with different levels of competencies and skillsets try to infect their targets,” he said. “And how they’ve evolved since, say, 2016... Their net of victims has expanded, and you see the evolution of their tactics, and it’s fascinating to learn how they operate.” 

The actors and campaigns Malhotra finds often make for some entertainment, too. His work researching the newly discovered Manjusaka framework led to the now-famous “cow poop” illustration on Talos’ Twitter, and the Transparent Tribe leopard is a favorite among Talos’ “malware mascots” sticker collection.

These discoveries come in a variety of forms. Malhotra said he relies on everything from open-source intelligence, Talos honeypots, telemetry sources and independent research. While this research mainly ends up manifesting itself in one of Talos’ blog posts or a presentation to a customer, Malhotra says he gets the most excitement from knowing he’s making it harder for the threat actor to strike again. While we as defenders may never be able to detect and stop every single cyber threat out there, Malhotra says the goal is to make it more expensive and more cumbersome every time for the attacker. 

“When we disclose a specific operation or campaign, the intention is to burn that campaign so [the actor] has to go back and innovate again and come up with some new TTPs [tactics, techniques and procedures],” he said. “That’s what we’re trying to do — reduce the level of motivation that they have." 
